[Oisf-users] Question regarding a missed signature from AF-Packet

Jeremy A. Grove jgrove at quadrantsec.com
Thu Sep 6 19:23:16 UTC 2018

I am using Suricata 4.1 on Debian with AF-Packet. I have recently tested the configuration by specifically looking for Suricata to alert on content in the body of the HTTP POST. Suricata did not trigger and it led me to repeat the process while recording a PCAP. When I run the PCAP through Suricata then Suricata alerts accurately and as expected. 

My question is centered on where I should be looking for the difference in the configuration that would lead to no alert via AF-PACKET and then an alert generated with same traffic through PCAP. 

Any direction will be helpful. I have given some of the configuration dump below. 

af-packet = (null) 
af-packet.0 = interface 
af-packet.0.interface = e1 
af-packet.0.cluster-id = 99 
af-packet.0.cluster-type = cluster_flow 
af-packet.0.defrag = yes 
af-packet.1 = interface 
af-packet.1.interface = e3 
af-packet.1.cluster-id = 98 
af-packet.1.cluster-type = cluster_flow 
af-packet.1.defrag = yes 
af-packet.2 = interface 
af-packet.2.interface = e4 
af-packet.2.cluster-id = 97 
af-packet.2.cluster-type = cluster_flow 
af-packet.2.defrag = yes 
af-packet.3 = interface 
af-packet.3.interface = default 

pcap-file = (null) 
pcap-file.checksum-checks = auto 

Jeremy Grove, SSCP 
Security Engineer 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20180906/3c2463f0/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2223 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20180906/3c2463f0/attachment.bin>

More information about the Oisf-users mailing list